47b68c398331b1f36e56df66eb412e83ef2897dcd9695fe86335eb7bafc409bd

Analysis

max time kernel
121s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11b19c40c61172d2fd0f23afd4e10849.exe
Size

368KB
MD5

11b19c40c61172d2fd0f23afd4e10849
SHA1

b39f54cd31fce3e6f955745fc433118ef08f1d2b
SHA256

47b68c398331b1f36e56df66eb412e83ef2897dcd9695fe86335eb7bafc409bd
SHA512

177f53aae3fd8e75f7c8784707d472b050560dffe897ed1248a89215a2564bce67b364e11dfe8a4942e28cded19ebb3c05da792251e25a178752c12c499fab96
SSDEEP

6144:OvT2BsHkq8xJYd1BeJuESHr4YWzOMlql49e1/lcduanJntih/FlVjf5PfbZjo/JO:02BsHkq8xJYdlEC4YWzZvRMU7i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	11b19c40c61172d2fd0f23afd4e10849.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pmduad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	11b19c40c61172d2fd0f23afd4e10849.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	pmduad.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /k"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /b"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /s"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /q"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /p"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /p"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /l"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /v"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /u"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /j"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /g"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /g"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /e"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /o"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /c"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /o"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /b"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /q"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /w"	11b19c40c61172d2fd0f23afd4e10849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /r"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /t"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /r"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /y"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /z"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /s"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /n"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /f"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /d"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /i"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /n"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /m"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /e"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /w"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /a"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /z"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /d"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /m"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /c"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /y"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /i"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /k"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /c"	11b19c40c61172d2fd0f23afd4e10849.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /h"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /j"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /u"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /f"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /w"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /h"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /t"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /l"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /v"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /x"	pmduad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /x"	pmduad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmduad = "C:\\Users\\Admin\\pmduad.exe /a"	pmduad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	11b19c40c61172d2fd0f23afd4e10849.exe
4356	11b19c40c61172d2fd0f23afd4e10849.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe
2992	pmduad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	pmduad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4356	11b19c40c61172d2fd0f23afd4e10849.exe
2992	pmduad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2992	4356	11b19c40c61172d2fd0f23afd4e10849.exe	93
PID 4356 wrote to memory of 2992	4356	11b19c40c61172d2fd0f23afd4e10849.exe	93
PID 4356 wrote to memory of 2992	4356	11b19c40c61172d2fd0f23afd4e10849.exe	93

C:\Users\Admin\AppData\Local\Temp\11b19c40c61172d2fd0f23afd4e10849.exe
"C:\Users\Admin\AppData\Local\Temp\11b19c40c61172d2fd0f23afd4e10849.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\pmduad.exe
  "C:\Users\Admin\pmduad.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\pmduad.exe

Filesize
290KB

MD5
4b3a2a9a9b07bddad06bf7d00bf3670c

SHA1
e7b62cfe23bf01639253abfad03bc7e97cafb5b7

SHA256
1e7c734dd8b5ca8eacb8d79d950f0eb2141534ee783b81c08423ce222ee04901

SHA512
973db1f3547cb2f0dd464bac5445e140820963d0377580ae37bf1ebaaa709f1019b90d0a49ae7e613d64dc1e6cdc0b5cb9f1e7b158b83282fad7c5299f6e4108

Download Submit
C:\Users\Admin\pmduad.exe

Filesize
368KB

MD5
4356f2c66cff62d884cd8a002dfa57ab

SHA1
5e371093fb65a9217123f5836575882e51de115d

SHA256
aaca5a851f44f4eb82c84d20f50a250bb3b4bf13b10326292fdeae8edc4594f4

SHA512
46be00399c2bdf50336c369561e12af31687badd42028b976db0766be2bbc5e7e50e8363078bd6b00149a44e798c68e29fc7ad1d7d93373ceca747fc9846ac53

Download Submit